How to create an IAM role of specific type using boto3?
I'm trying to lock down a user to a specific VPC in AWS and following How to Help Lock Down a User's Amazon EC2 Capabilities to a Single VPC | AWS Security Blog.
It is mentioned that we need to create an IAM role with name VPCLockDown of type AWS Service and add the services to which the role needs access, like ec2, lambda, etc.
I was trying to create this role programmatically using boto3.
I checked the create_role documentation for creating a role using boto3.
However, it doesn't mention anything about specifying the type of role or the services that the role should have access to.
Is there any way to specify these items while creating the IAM role using boto3?
Edit1:
I tried creating a service_linked_role as per Sudarshan Rampuria's answer like
import boto3

# IAM is a global service; the client needs credentials with iam:CreateServiceLinkedRole
iam = boto3.client('iam')

response = iam.create_service_linked_role(
    AWSServiceName='ec2.amazonaws.com',
)
But I'm getting the following error:
An error occurred (AccessDenied) when calling the CreateServiceLinkedRole operation: Cannot find Service Linked Role template for ec2.amazonaws.com
You can use the create_service_linked_role() function in boto3 to link a role to a service: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/iam.html#IAM.Client.create_service_linked_role
Here is a policy that allows a specific IAM User to launch an instance (RunInstances), but only in a given VPC:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2RunInstancesVPC",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:ap-southeast-2:111111111111:subnet/*",
            "Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:ap-southeast-2:111111111111:vpc/vpc-abcd1234" <--- Change this
                }
            }
        },
        {
            "Sid": "RemainingRunInstancePermissions",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:ap-southeast-2:111111111111:instance/*",
                "arn:aws:ec2:ap-southeast-2:111111111111:volume/*",
                "arn:aws:ec2:ap-southeast-2::image/*",
                "arn:aws:ec2:ap-southeast-2::snapshot/*",
                "arn:aws:ec2:ap-southeast-2:111111111111:network-interface/*",
                "arn:aws:ec2:ap-southeast-2:111111111111:key-pair/*",
                "arn:aws:ec2:ap-southeast-2:111111111111:security-group/*"
            ]
        }
    ]
}
You might need to change the Region. (I tested it in the Sydney region.)
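Putting the two answers together, as an added example that is not code from either answer or from the blog post: in console terms a role of type "AWS service" is simply a role whose trust policy names a service principal, and the services it may use are whatever permission policies you attach to it, so create_role plus put_role_policy is the boto3 path; create_service_linked_role is a separate mechanism that only works for services that publish a service-linked role template, which is why the EC2 call in the question fails. The region, account id, VPC id and policy name below are constructed placeholders, and the IAM client is passed in by the caller.

```python
import json

# Constructed sample values, not taken from the original post.
REGION, ACCOUNT_ID, VPC_ID = "ap-southeast-2", "111111111111", "vpc-abcd1234"


def trust_policy(service="ec2.amazonaws.com"):
    """The 'AWS service' role type from the console is just this trust
    policy: only the named service principal may assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": service},
        "Action": "sts:AssumeRole"}]}


def vpc_lockdown_policy(region, account_id, vpc_id):
    """Permission policy from the answer above: RunInstances is allowed on
    subnets only when they belong to vpc_id (ec2:vpc condition), plus the
    other resource types RunInstances has to touch."""
    arn = f"arn:aws:ec2:{region}:{account_id}:"  # account-owned resources
    shared = f"arn:aws:ec2:{region}::"            # AMIs and snapshots have no account
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "EC2RunInstancesVPC", "Effect": "Allow",
         "Action": "ec2:RunInstances", "Resource": arn + "subnet/*",
         "Condition": {"StringEquals": {"ec2:vpc": arn + f"vpc/{vpc_id}"}}},
        {"Sid": "RemainingRunInstancePermissions", "Effect": "Allow",
         "Action": "ec2:RunInstances",
         "Resource": [arn + r + "/*" for r in ("instance", "volume",
                      "network-interface", "key-pair", "security-group")]
                     + [shared + r + "/*" for r in ("image", "snapshot")]}]}


def create_vpc_lockdown_role(iam, role_name, region, account_id, vpc_id):
    """Create the role with create_role (trust policy = role type) and attach
    the lock-down policy inline with put_role_policy. `iam` is a boto3 IAM
    client supplied by the caller, so this module imports without boto3."""
    role = iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(trust_policy()),
        Description="Launch EC2 instances only into one VPC")
    iam.put_role_policy(
        RoleName=role_name, PolicyName=f"{role_name}Policy",
        PolicyDocument=json.dumps(vpc_lockdown_policy(region, account_id, vpc_id)))
    return role["Role"]["Arn"]


if __name__ == "__main__":
    import boto3  # needs credentials allowed iam:CreateRole and iam:PutRolePolicy
    print(create_vpc_lockdown_role(boto3.client("iam"), "VPCLockDown",
                                   REGION, ACCOUNT_ID, VPC_ID))
```

Listing the role afterwards with iam.get_role shows the trust policy as AssumeRolePolicyDocument, which is the only place the "type" of the role is recorded.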